CVE-2022-50944 HIGH

CVE-2022-50944: Aero CMS 0.0.1 PHP Code Injection via posts.php

Vendor Megatkc

Product Aero CMS

Weakness CWE-94 · Code injection

Published May 10, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

Key dates

Disclosure timeline

May 10, 2026 CVE published

May 11, 2026 Record updated